Showing posts with label Errata. Show all posts

Tuesday, November 02, 2010

A discussion at SecTor on Rogue Secure Development

Last week I presented a new methodology for developing secure code called Rogue Secure Development (pdf). The talk was at SecTor in Toronto, and afterwards a lively discussion took place concerning the adoption of such a methodology. RSD is a 5-phase process that integrates with the traditional Waterfall SDLC and focuses on bare-bones resource requirements for SMBs. The question I put forth to the audience was:

If there is a process that requires minimal amounts of resources, saves money, and creates robust code, what will it take to increase adoption?

There were many answers, but they were all summed up succinctly in four options.

1. People are killed, and a lack of a secure coding methodology is directly to blame.
2. Companies go bankrupt, and a lack of a secure coding methodology is directly to blame.
3. A nuclear power plant has a catastrophic meltdown, and a lack of a secure coding methodology is directly to blame.
4. Compliance forces adoption.

I found these dramatic and macabre options disturbing, so I asked, "Is there no business case for secure coding? No cost saving analysis? No risk management prescription?" The consensus in the room was that my suggestions, while potentially possible, weren't going to persuade anybody to break from the status quo. Interestingly, the only factor that seemed to have complete persuasive power was Compliance. In this particular audience, the threat of fines was more of a motivating stick than I've ever seen previously.

In March 2010, Errata did a study asking people what reasons they had for not using a secure development lifecycle. By far the most popular answer was resource constraints. The four options above would imply that, at least according to security folks, the reason people do not adopt secure coding is some black-and-white risk assessment telling them they are not in danger. So, does this mean that the people in the study aren't being honest with themselves, or that security professionals are out of touch with the motives of the development shops?

Monday, May 12, 2008

New Team Member at Errata Security

Hi Everyone,

I'm Marisa and I am the new product manager for Errata's ProtoDev line of products. If you have feature requests for Ferret/Hamster, LookingGlass, or AxBan you can contact me at marisa@erratasec.com.

I'll also be contributing to the blog from time to time about the latest ProtoDev news and updates. It's really great to be a part of the Errata team, and I look forward to hearing from you all!

-marisa

Sunday, October 21, 2007

Vote which of us gets tazed

Tazers and stun guns have been in the news lately, from intelligence agencies electrocuting suspects to student demonstrators getting tazed by campus police. In order to celebrate the one-year anniversary of the founding of Errata Security, we have therefore decided that it's time ONE of the founders gets tazed by a 100,000 volt stun gun.

We have set up a poll (part of a Google blog feature) on the right-hand side of this page. Vote for which founder you would like to see tazed. We will post the results Friday afternoon, with a video of the "winner" getting his just reward.

Dave would claim that Rob hates puppies and often has fields of daffodils paved over. However, Rob would like to point out something evil about Dave Maynor, but can't figure out anything more evil than DAVE MAYNOR.